Monitoring Netwitness with Zabbix

This post is completely unsupported by RSA Support and indeed RSA, but it might be interesting if you want to try it.

In Netwitness 10.X, the current weakness in the topology is that the SA Server is a single point of failure, and it is also the component that monitors the others in your environment. If the monitoring on your SA Server has a problem, would you actually be aware of it?

This will copy a standard agent configuration file and a pre-shared key, which is used to encrypt communication between the Zabbix Server and the Zabbix Agent. It will also open a firewall port to allow communication from the Zabbix Server (in this case 192.168.123.177) to each Security Analytics appliance on TCP port 10050.

The following files should be copied to /etc/puppet/modules/base/files:

zabbix_agentd.conf

zabbix_agentd.psk
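
An added example, not part of the original post: a shell check to run on an appliance after the two files are deployed, confirming that the agent accepts only PSK-encrypted connections from the Zabbix Server and that the key file is well-formed and private. The `TLS*` and `Server` names are standard Zabbix agent parameters; the temporary paths, the sample key and the identity `sa-appliance-example` are constructed for the demo.

```shell
#!/bin/sh
# Audit a zabbix_agentd.conf for the PSK setup described above.
# Prints one line per finding; the return status is the number of findings.

# Last value assigned to KEY ($2) in file $1; commented lines never match.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

# $1 = agent config path, $2 = the only Zabbix Server address expected.
audit_agent_conf() {
    conf=$1 server=$2 findings=0
    # TLSAccept defaults to unencrypted, so it must be set explicitly.
    [ "$(conf_get "$conf" TLSAccept)" = psk ] ||
        fail "TLSAccept must be exactly 'psk' (passive checks, tcp 10050)"
    [ "$(conf_get "$conf" TLSConnect)" = psk ] ||
        fail "TLSConnect must be 'psk' (active checks)"
    [ -n "$(conf_get "$conf" TLSPSKIdentity)" ] ||
        fail "TLSPSKIdentity is not set"
    [ "$(conf_get "$conf" Server)" = "$server" ] ||
        fail "Server must list only $server"
    psk=$(conf_get "$conf" TLSPSKFile)
    if [ -z "$psk" ] || [ ! -f "$psk" ]; then
        fail "TLSPSKFile is unset or the file does not exist"
    else
        # Zabbix needs a hex string of at least 32 digits (128 bits).
        grep -Eqx '[0-9A-Fa-f]{32,}' "$psk" ||
            fail "PSK is not a hex string of 32 or more digits"
        # The key must not be accessible by group or other.
        [ "$(ls -ld "$psk" | cut -c5-10)" = "------" ] ||
            fail "PSK file is accessible by group/other"
    fi
    return "$findings"
}

# Constructed demo input: a throwaway key and config in a temp directory.
demo=$(mktemp -d)
printf '%s\n' 0123456789abcdef0123456789abcdef > "$demo/zabbix_agentd.psk"
chmod 600 "$demo/zabbix_agentd.psk"
cat > "$demo/zabbix_agentd.conf" <<EOF
Server=192.168.123.177
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=sa-appliance-example
TLSPSKFile=$demo/zabbix_agentd.psk
EOF
audit_agent_conf "$demo/zabbix_agentd.conf" 192.168.123.177 && echo "OK"
```

Requiring `TLSAccept` to be exactly `psk` is a policy choice made in this example: a value such as `unencrypted,psk` is valid for Zabbix but still lets the agent answer cleartext requests.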

The advantages of monitoring are:

Ability to make nice graphs

Ability to have a Map of your infrastructure to see any problems easily.

I've also copied a few Zabbix Checks that can be run by using the check type "SSH Agent". Note that in this example I used the root account, but best practise would be to create a specific Zabbix account on each system. Again, this could be done using Puppet.